One of the most common questions I get is whether a particular disclosure constitutes a breach that requires notification to the individual and completing a breach notification report with the Office for Civil Rights. No one likes to “fess up” that their organization has had a breach; consequently, I see organizations doing some pretty interesting gyrations to keep from classifying a disclosure as a breach so they don’t have to meet the requirements of the Breach Notification Rule. Determining whether a disclosure is a breach that requires notification is a pretty straightforward process, as long as it is done objectively and honestly.
Use of what is known as the “Four Factor Test” provides the framework for making the determination. If an organization can honestly answer each of the four questions by saying it supports a low probability the PHI was compromised, no notification is required. But, if even just one of the four factors is anything but low probability, breach notification is required and the time standards of the Rule must be followed. The four questions are as follows:
1. What types and amounts of PHI were involved, and how likely is it that individuals could be identified if the PHI is combined with other available information? Take into consideration whether sensitive identifiable information such as date of birth, SSN or financial information, or sensitive medical information such as mental health, medications or test results, is involved such that the risk of identity theft, financial fraud or other harm to the individual is increased.
2. Who is the unauthorized person who used or had access to the PHI, or to whom was the disclosure made? Take into consideration whether the PHI was impermissibly disclosed or used within the organization or outside it. Did the person who used or had access to the PHI have a legal obligation to protect the information (e.g., another covered entity or a government employee)? If so, there may be a lower probability that the PHI has been compromised.
3. Was the PHI actually acquired or viewed? Did someone actually view, read or even look at the PHI that was disclosed? How many people viewed or had access to the PHI? If the disclosure was electronic, was it forwarded, saved or archived on the recipient’s computer?
4. To what extent has the risk to the PHI been mitigated? Has the PHI been returned? Does the organization have written confirmation that the PHI was or will be destroyed? Does the organization have the recipient’s written confirmation that the PHI will not be used or further disclosed?
As stated above, unless all four factors clearly support a low probability of compromise of the PHI, breach notification is required. If the breach impacts fewer than 500 people, individuals must be notified within 60 days of discovery of the breach, and a report must be filed with the OCR no later than 60 days after the end of the calendar year in which the breach occurred. If 500 or more people are impacted, very different notification requirements exist (media notification), and the report to the OCR must be made within 60 days of discovery.